[Snort-sigs] Basic question [] syntax question about excluding a subnet of a larger subnet...

Lorine Ruotolo lori.ruotolo at ...12...
Thu Mar 16 13:50:09 EST 2006


What if he wrote a pass signature for the range he didn't want to check 
before the alert signature?

Wouldn't that work?


>From: Matt Kettler <mkettler at ...189...>
>To: Gentoo-Wally <gentoowally at ...2420...>
>CC: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Basic question [] syntax question about excluding a subnet of a larger subnet...
>Date: Thu, 16 Mar 2006 15:50:27 -0500
>
>Gentoo-Wally wrote:
> >
> > Question...
> >
> > What is the correct way to exclude a subnet from a larger network in a
> > signature?
>
>You have to define it as multiple subnet additions. You can't subtract out a
>range that's already been added, because the behavior of a , is an "or"
>operation, not an AND.
>
> >
> > var NET1 10.0.0.0/8
> > var NET2 10.7.0.0/16
> > var NET3 10.14.0.0/16
> >
> > alert tcp [$NET1,!$NET2] ANY -> $NET3 ANY ...blah, blah, blah...
> >
> > Is that the right way to watch for something from NET1 but not in NET2
>
>No. That won't work, you can't do subtraction.
>
>[$NET1,!$NET2]  will match anything in NET1 *OR* anything not in NET2.
>
>Since net2 is a subset of net1 this makes it a logical equivalent to "any".
>The first clause will match all of net1, *including* the IPs in net2. The
>second clause will match all of the rest of IP space. As long as either
>clause is satisfied, it's a match.
>
>And it has to work this way, unless the syntax changes to allow
>substantially more complex expressions. If the existing , became an "AND"
>operation things like [10.0.0.1/32,10.0.0.2/32] would not work correctly.
>That would suddenly become a match of nothing, instead of a match of either
>of two IPs.

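To make the "comma is an OR" point concrete, here is an added Python model (not code from the thread or from Snort) that evaluates a bracketed IP list with the semantics Matt describes, then builds the "multiple subnet additions" alternative he recommends. The pass-rule model at the end assumes pass rules are evaluated before alert rules, which is a configuration assumption, not Snort's default ordering.

```python
import ipaddress

# Constructed values mirroring the variables in the thread.
NET1 = ipaddress.ip_network("10.0.0.0/8")
NET2 = ipaddress.ip_network("10.7.0.0/16")


def matches_ip_list(addr, terms):
    """Evaluate a Snort-style IP list such as [$NET1,!$NET2] the way the
    thread describes it: terms is a list of (network, negated) pairs, the
    comma is an OR, so the list matches as soon as any one term matches."""
    ip = ipaddress.ip_address(addr)
    return any((ip in net) != negated for net, negated in terms)


def subtract_as_additions(outer, hole):
    """The workaround from the thread: express 'outer minus hole' as the
    sorted list of subnets that together cover outer except for hole."""
    return sorted(outer.address_exclude(hole))


def as_snort_list(nets):
    """Render a list of subnets in the bracketed syntax of a rule header."""
    return "[" + ",".join(str(n) for n in nets) + "]"


def first_matching_action(addr, rules):
    """Model of Lorine's pass-before-alert idea: rules is an ordered list of
    (action, terms) and the first rule whose IP list matches decides.
    Assumption: pass rules really are evaluated before alert rules, which
    requires changing Snort's rule order rather than relying on the default."""
    for action, terms in rules:
        if matches_ip_list(addr, terms):
            return action
    return None


if __name__ == "__main__":
    naive = [(NET1, False), (NET2, True)]  # [$NET1,!$NET2] as written
    print("10.7.1.1 (inside NET2) matches:", matches_ip_list("10.7.1.1", naive))
    print("192.0.2.1 (outside NET1) matches:", matches_ip_list("192.0.2.1", naive))
    parts = subtract_as_additions(NET1, NET2)
    print("NET1 minus NET2 =", as_snort_list(parts))
    fixed = [(n, False) for n in parts]
    print("10.7.1.1 matches the additions list:", matches_ip_list("10.7.1.1", fixed))
```

The naive list reports True for an address inside NET2 and for one outside NET1 entirely, which is the "logically any" behaviour the thread warns about; the eight-subnet additions list excludes NET2 correctly.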